Appendix L: Events to Monitor

The following table lists events that you should monitor in your environment, according to the recommendations provided in Monitoring Active Directory for Signs of Compromise. In the following table, the "Current Windows Event ID" column lists the event ID as it is implemented in versions of Windows and Windows Server that are currently in mainstream support.

The "Legacy Windows Event ID" column lists the corresponding event ID in legacy versions of Windows such as client computers running Windows XP or earlier and servers running Windows Server 2003 or earlier. The "Potential Criticality" column identifies whether the event should be considered of low, medium, or high criticality in detecting attacks, and the "Event Summary" column provides a brief description of the event.

A potential criticality of High means that a single occurrence of the event should be investigated. A potential criticality of Medium or Low means that the event should be investigated only if it occurs unexpectedly, or in numbers that significantly exceed the expected baseline within a measured period of time. All organizations should test these recommendations in their own environments before creating alerts that require a mandatory investigative response. Every environment is different, and some events ranked with a potential criticality of High may also be produced by harmless activity.
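The rule just described (investigate every High event; investigate Medium and Low events only when they exceed a baseline over a measured period) can be turned into a small triage routine. The following Python is an added example, not code from the Microsoft appendix: the event rows are a constructed subset of the table below, the baselines, sample events and one-hour fixed window are constructed assumptions, and because the appendix does not say how "Medium to High" should be handled, the example treats it like Medium/Low with a baseline of zero unless one is configured. It also resolves legacy IDs (for example 612 from a Windows Server 2003 host) to the same row as the current ID (4719), so both sources are counted together.

```python
"""Triage Windows Security events with the Appendix L criticality rules.

Added example, not part of the Microsoft appendix. EVENT_ROWS is a constructed
subset of the appendix table; SAMPLE_EVENTS, BASELINES and the fixed one-hour
window are constructed assumptions for demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

EPOCH = datetime(1970, 1, 1)


@dataclass(frozen=True)
class MonitoredEvent:
    current_id: Optional[int]   # None where the appendix says N/A
    legacy_id: Optional[int]    # None where the appendix says N/A
    criticality: str
    summary: str

    @property
    def key(self) -> int:
        # The current ID is the canonical key; a row with no current ID keeps its legacy ID.
        return self.current_id if self.current_id is not None else self.legacy_id


# Constructed subset of the appendix rows: current ID, legacy ID, criticality, summary.
EVENT_ROWS = [
    MonitoredEvent(4719, 612, "High", "System audit policy was changed."),
    MonitoredEvent(4765, None, "High", "SID History was added to an account."),
    MonitoredEvent(None, 550, "Medium to High", "Possible denial-of-service (DoS) attack"),
    MonitoredEvent(1102, 517, "Medium to High", "The audit log was cleared"),
    MonitoredEvent(4706, 610, "Medium", "A new trust was created to a domain."),
    MonitoredEvent(4724, 628, "Medium", "An attempt was made to reset an account's password."),
    MonitoredEvent(5463, None, "Low",
                   "PAStore Engine polled for changes to the active IPsec policy and detected no changes."),
]

# Both the current and the legacy ID resolve to the same row, so a legacy host
# logging 612 and a supported host logging 4719 are counted together.
BY_ID = {}
for _row in EVENT_ROWS:
    for _event_id in (_row.current_id, _row.legacy_id):
        if _event_id is not None:
            BY_ID[_event_id] = _row


@dataclass(frozen=True)
class Alert:
    key: int
    reason: str            # "single-occurrence" (High) or "exceeds-baseline" (others)
    count: int
    window_start: datetime
    summary: str


def triage(events, baselines, window=timedelta(hours=1)):
    """events: iterable of (timestamp, event_id); baselines: {row key: expected count per window}.

    High rows alert on every occurrence. Every other row alerts once per fixed
    window, with the final count, when that count exceeds its baseline; a row
    with no baseline entry is treated as unexpected (baseline 0).
    """
    alerts = []
    counts = defaultdict(int)          # (row key, window start) -> occurrences
    for ts, event_id in events:
        row = BY_ID.get(event_id)
        if row is None:
            continue                   # not in the monitor list
        bucket = EPOCH + ((ts - EPOCH) // window) * window   # floor to the window
        if row.criticality == "High":
            alerts.append(Alert(row.key, "single-occurrence", 1, bucket, row.summary))
        else:
            counts[(row.key, bucket)] += 1
    for (key, bucket), n in sorted(counts.items()):
        if n > baselines.get(key, 0):
            alerts.append(Alert(key, "exceeds-baseline", n, bucket, BY_ID[key].summary))
    return alerts


# Constructed sample events (timestamp, event ID); 4624 is a real logon event ID
# that is not in the subset above, so it is ignored here.
T0 = datetime(2024, 1, 15, 9, 0)
SAMPLE_EVENTS = [
    (T0 + timedelta(minutes=5), 4624),
    (T0 + timedelta(minutes=10), 612),            # legacy form of 4719 -> High
    (T0 + timedelta(minutes=12), 4724),           # three password resets in the 09:00 window
    (T0 + timedelta(minutes=13), 628),            # legacy form of 4724
    (T0 + timedelta(minutes=14), 4724),
    (T0 + timedelta(minutes=20), 5463),           # routine Low event, within baseline
    (T0 + timedelta(hours=1, minutes=2), 4724),   # next window, one reset only
    (T0 + timedelta(hours=1, minutes=30), 1102),  # no baseline configured -> unexpected
]
BASELINES = {4724: 2, 5463: 50}   # constructed expected counts per one-hour window

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS, BASELINES):
        print(f"{a.window_start:%H:%M} {a.key} {a.reason} x{a.count}: {a.summary}")
```

With the sample input the routine raises three alerts: the High event 4719 (arriving under its legacy ID 612), the audit-log clear 1102 because it has no configured baseline, and 4724 in the 09:00 window because three resets exceed the baseline of two; the single reset in the 10:00 window and the routine 5463 polling stay quiet.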

| Current Windows Event ID | Legacy Windows Event ID | Potential Criticality | Event Summary |
|---|---|---|---|
| 4618 | N/A | High | A monitored security event pattern has occurred. |
| 4649 | N/A | High | A replay attack was detected. May be a harmless false positive due to misconfiguration error. |
| 4719 | 612 | High | System audit policy was changed. |
| 4765 | N/A | High | SID History was added to an account. |
| 4766 | N/A | High | An attempt to add SID History to an account failed. |
| 4794 | N/A | High | An attempt was made to set the Directory Services Restore Mode. |
| 4897 | 801 | High | Role separation enabled. |
| 4964 | N/A | High | Special groups have been assigned to a new logon. |
| 5124 | N/A | High | A security setting was updated on the OCSP Responder Service. |
| N/A | 550 | Medium to High | Possible denial-of-service (DoS) attack. |
| 1102 | 517 | Medium to High | The audit log was cleared. |
| 4621 | N/A | Medium | Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded. |
| 4675 | N/A | Medium | SIDs were filtered. |
| 4692 | N/A | Medium | Backup of data protection master key was attempted. |
| 4693 | N/A | Medium | Recovery of data protection master key was attempted. |
| 4706 | 610 | Medium | A new trust was created to a domain. |
| 4713 | 617 | Medium | Kerberos policy was changed. |
| 4714 | 618 | Medium | Encrypted data recovery policy was changed. |
| 4715 | N/A | Medium | The audit policy (SACL) on an object was changed. |
| 4716 | 620 | Medium | Trusted domain information was modified. |
| 4724 | 628 | Medium | An attempt was made to reset an account's password. |
| 4727 | 631 | Medium | A security-enabled global group was created. |
| 4735 | 639 | Medium | A security-enabled local group was changed. |
| 4737 | 641 | Medium | A security-enabled global group was changed. |
| 4739 | 643 | Medium | Domain Policy was changed. |
| 4754 | 658 | Medium | A security-enabled universal group was created. |
| 4755 | 659 | Medium | A security-enabled universal group was changed. |
| 4764 | 667 | Medium | A security-disabled group was deleted. |
| 4764 | 668 | Medium | A group's type was changed. |
| 4780 | 684 | Medium | The ACL was set on accounts which are members of administrators groups. |
| 4816 | N/A | Medium | RPC detected an integrity violation while decrypting an incoming message. |
| 4865 | N/A | Medium | A trusted forest information entry was added. |
| 4866 | N/A | Medium | A trusted forest information entry was removed. |
| 4867 | N/A | Medium | A trusted forest information entry was modified. |
| 4868 | 772 | Medium | The certificate manager denied a pending certificate request. |
| 4870 | 774 | Medium | Certificate Services revoked a certificate. |
| 4882 | 786 | Medium | The security permissions for Certificate Services changed. |
| 4885 | 789 | Medium | The audit filter for Certificate Services changed. |
| 4890 | 794 | Medium | The certificate manager settings for Certificate Services changed. |
| 4892 | 796 | Medium | A property of Certificate Services changed. |
| 4896 | 800 | Medium | One or more rows have been deleted from the certificate database. |
| 4906 | N/A | Medium | The CrashOnAuditFail value has changed. |
| 4907 | N/A | Medium | Auditing settings on object were changed. |
| 4908 | N/A | Medium | Special Groups Logon table modified. |
| 4912 | 807 | Medium | Per User Audit Policy was changed. |
| 4960 | N/A | Medium | IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations. |
| 4961 | N/A | Medium | IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer. |
| 4962 | N/A | Medium | IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay. |
| 4963 | N/A | Medium | IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt. |
| 4965 | N/A | Medium | IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored. |
| 4976 | N/A | Medium | During Main Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation. |
| 4977 | N/A | Medium | During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation. |
| 4978 | N/A | Medium | During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation. |
| 4983 | N/A | Medium | An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted. |
| 4984 | N/A | Medium | An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted. |
| 5027 | N/A | Medium | The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy. |
| 5028 | N/A | Medium | The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy. |
| 5029 | N/A | Medium | The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy. |
| | | | Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error. |
| 5120 | N/A | Medium | OCSP Responder Service Started. |
| 5121 | N/A | Medium | OCSP Responder Service Stopped. |
| 5122 | N/A | Medium | A configuration entry changed in OCSP Responder Service. |
| 5123 | N/A | Medium | A configuration entry changed in OCSP Responder Service. |
| 5376 | N/A | Medium | Credential Manager credentials were backed up. |
| 5377 | N/A | Medium | Credential Manager credentials were restored from a backup. |
| 5453 | N/A | Medium | An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started. |
| 5480 | N/A | Medium | IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem. |
| 5483 | N/A | Medium | IPsec Services failed to initialize RPC server. IPsec Services could not be started. |
| 5484 | N/A | Medium | IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks. |
| 5485 | N/A | Medium | IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem. |
| 6145 | N/A | Medium | One or more errors occurred while processing security policy in the Group Policy objects. |
| 6273 | N/A | Medium | Network Policy Server denied access to a user. |
| 6274 | N/A | Medium | Network Policy Server discarded the request for a user. |
| 6275 | N/A | Medium | Network Policy Server discarded the accounting request for a user. |
| 6276 | N/A | Medium | Network Policy Server quarantined a user. |
| 6277 | N/A | Medium | Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy. |
| 6278 | N/A | Medium | Network Policy Server granted full access to a user because the host met the defined health policy. |
| | | | PAStore Engine failed to apply local registry storage IPsec policy on the computer. |
| 5462 | N/A | Low | PAStore Engine failed to apply some rules of the active IPsec policy on the computer. Use the IP Security Monitor snap-in to diagnose the problem. |
| 5463 | N/A | Low | PAStore Engine polled for changes to the active IPsec policy and detected no changes. |
| 5464 | N/A | Low | PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services. |
| 5465 | N/A | Low | PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully. |
| 5466 | N/A | Low | PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead. Any changes made to the Active Directory IPsec policy since the last poll could not be applied. |
| 5467 | N/A | Low | PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy. The cached copy of the Active Directory IPsec policy is no longer being used. |
| 5468 | N/A | Low | PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes. The cached copy of the Active Directory IPsec policy is no longer being used. |
| 5471 | N/A | Low | PAStore Engine loaded local storage IPsec policy on the computer. |
| 5472 | N/A | Low | PAStore Engine failed to load local storage IPsec policy on the computer. |
